
[Top] Zigbee Protocol Analyzer: What you need to know

Learn how to build a Zigbee Protocol Analyzer using a CC2531 dongle with Texas Instruments firmware. In this tutorial I will guide you through the whole process.

Hardware Used

Hardware | Price | Store
USB cc2531 Dongle | 5 | Vendor
CC Debugger | 15 | Vendor

Hardware – ZigBee Sniffer

CC2531 USB sniffer features

  • Flashed with CC2531ZNP-Prod firmware for zigbee2mqtt application
  • Lead out 8 IO connectors
  • Debug interface
  • Size: 5.6*1.6*0.7cm
  • Two buttons and two LEDs for user interaction

CC Debugger

The CC Debugger is a small programmer and debugger for the TI Low Power RF System-on-Chips. It can be used together with IAR Embedded Workbench for 8051 (version 7.51A or later) for debugging and SmartRF Flash Programmer for flash programming. The CC Debugger can also be used for controlling selected devices from SmartRF Studio.


Software Used

Software | Version | Download
Debian Buster armv7l | 5.10.103-v7 |
CC-Tool | |
Wireshark | |
WHsniff | 1.3 | WHsniff Git
Texas Sniffer | | Sniffer Firmware

Software – ZigBee Sniffer

Install all dependencies

For all the software to work, we need to install some dependencies. Execute:

sudo apt-get install -y libusb-1.0-0-dev wireshark libboost-all-dev p7zip-full

Install CC-Tool

rfs@offensive-wireless:~/ZigBee_Sniffer $ git clone https://github.com/dashesy/cc-tool.git
rfs@offensive-wireless:~/ZigBee_Sniffer $ cd cc-tool
rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ ./bootstrap
rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ ./configure
rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ make

Download Sniffer Firmware

rfs@offensive-wireless:~/ZigBee_Sniffer $ unzip swrc045z.zip -d firmware_extracted
$ 7z e firmware_extracted/Setup_SmartRF_Packet_Sniffer_2.18.0.exe bin/general/firmware/sniffer_fw_cc2531.hex
sudo <path-to>/cc-tool -e -w <path-to>/sniffer_fw_cc2531.hex

Write the Firmware into cc2531

rfs@offensive-wireless:~/ZigBee_Sniffer $ sudo ./cc-tool/cc-tool -e -w sniffer_fw_cc2531.hex

How to Install whsniff – Zigbee sniffer software

curl -L https://github.com/homewsn/whsniff/archive/v1.3.tar.gz | tar zx
cd whsniff-1.3
rfs@offensive-wireless:~/ZigBee_Sniffer/whsniff-1.3 $ make
rfs@offensive-wireless:~/ZigBee_Sniffer/whsniff-1.3 $ sudo make install

Zigbee Protocol Analyzer

sudo whsniff -c 11 | wireshark -k -i -
ssh rfs@192.168.4.221 "whsniff -c 18" | wireshark -k -i -

Configure our ZigBee Packet Sniffer to decode

Can a Zigbee sniffer see the IEEE MAC address?

Yes, any ZigBee sniffer can see the IEEE MAC address.
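
Why the answer is yes, shown as an added example that is not code from the original tutorial: the IEEE 802.15.4 MAC header, including any 64-bit IEEE address, is transmitted unencrypted, so every captured frame exposes it. The Python below decodes the addressing fields for frame versions 2003/2006; the function names and both sample frames are constructed for illustration.

```python
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac-command"}
ADDR_LEN = {0: 0, 2: 2, 3: 8}   # none, 16-bit short, 64-bit extended (IEEE)


def _take(frame, off, n):
    """Return n bytes at off plus the new offset, rejecting truncated frames."""
    if off + n > len(frame):
        raise ValueError("truncated MAC header")
    return frame[off:off + n], off + n


def _addr(raw):
    """Format a little-endian address field; None when the field is absent."""
    if len(raw) == 2:
        return f"0x{int.from_bytes(raw, 'little'):04x}"
    return ":".join(f"{b:02x}" for b in reversed(raw)) or None


def parse_mac_header(frame):
    """Decode the cleartext addressing fields of an 802.15.4 (2003/2006) frame."""
    raw, off = _take(frame, 0, 3)
    fcf, seq = int.from_bytes(raw[:2], "little"), raw[2]
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    if 1 in (dst_mode, src_mode) or ((fcf >> 12) & 3) > 1:
        raise ValueError("reserved addressing mode or unsupported frame version")
    hdr = {"type": FRAME_TYPES.get(fcf & 7, "reserved"), "seq": seq,
           "mac_security": bool(fcf & 0x08), "dst_pan": None, "src_pan": None}
    if dst_mode:
        raw, off = _take(frame, off, 2)
        hdr["dst_pan"] = _addr(raw)
    raw, off = _take(frame, off, ADDR_LEN[dst_mode])
    hdr["dst"] = _addr(raw)
    if src_mode:
        if fcf & 0x40 and dst_mode:    # PAN ID compression: source PAN omitted
            hdr["src_pan"] = hdr["dst_pan"]
        else:
            raw, off = _take(frame, off, 2)
            hdr["src_pan"] = _addr(raw)
    raw, off = _take(frame, off, ADDR_LEN[src_mode])
    hdr["src"] = _addr(raw)
    return hdr


# Constructed sample frames (not from a real capture), FCS omitted.
ASSOC_REQ = bytes.fromhex("23c8" "2a" "341a" "0000" "ffff" "7766554433221100" "018e")
DATA = bytes.fromhex("6188" "2b" "341a" "0000" "7b3c" "48020000")

if __name__ == "__main__":
    print(parse_mac_header(ASSOC_REQ), parse_mac_header(DATA), sep="\n")
```

The association request carries the joining device's 64-bit address in the source field, while the data frame uses only 16-bit short addresses.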


RF Security

Passionate about radio frequencies!